融合全局图拓扑与多尺度掩码卷积的漏洞检测方法

doi:10.3778/j.issn.1673-9418.2507064

摘要/Abstract

摘要： 基于序列的深度学习方法在建模源代码的结构特征方面存在不足，而图神经网络（GNN）虽然可以通过聚合邻居节点信息丰富当前节点表征，但无法有效获取图的全局特征信息，且难以捕获图节点间长距离依赖。为克服上述问题，提出了一种融合全局图拓扑与多尺度掩码卷积的门控漏洞检测方法（GTMC-VD）。在该方法中，利用开源工具（Joern）将源代码转换为代码属性图（CPG），采用词嵌入模型（Word2Vec）对图中节点进行嵌入以获得图中节点的初始表示，设计并实现了图全局拓扑编码器。该编码器利用图卷积网络（GCN）的输出作为节点重要性评分，利用该评分对图结构进行简化，并对邻接矩阵和节点特征进行更新，通过层次化的策略实现逐层优化并采用不同池化层获取多尺度的拓扑信息，最终聚合以获取图的全局特征。之后采用两个不同尺度的卷积核捕捉节点之间的依赖关系，同时针对变长图数据引入掩码机制，避免因填充节点带来的噪声干扰，实现了多尺度掩码卷积模块。最终，引入门控机制，自适应融合两个模块的输出结果，并得到模型最终检测结果。在两个公开数据集上的大量实验表明，所提方法有效解决了上述两个问题，并在准确率、精确率、召回率和[F1]分数指标上相比于基准模型（Devign）分别提高了6.69、4.43、13.63和8.17个百分点。总之，GTMC-VD有效获取了图的全局特征，且缓解了基于GCN模型无法捕捉长距离依赖的问题，为漏洞检测任务提供了一种更为鲁棒且高效的解决方案。

关键词: 漏洞检测, 图神经网络, 图拓扑, 多尺度卷积, 掩码机制

Abstract: Sequence-based deep learning methods exhibit limitations in modeling the structural characteristics of source code. Although graph neural networks (GNNs) can aggregate neighborhood information to enrich node representations, they struggle to effectively capture global graph representations and long-range dependencies among nodes. To address these challenges, this paper proposes a novel approach named GTMC-VD (global graph topology and multi-scale masked convolution network for vulnerability detection). In this method, source code is first transformed into a code property graph (CPG) using the Joern tool. Subsequently, the Word2Vec algorithm is applied to embedding nodes within the graph, generating initial node representations. This paper designs and implements the global graph topology encoder that leverages GCN (graph convolutional networks) outputs as node importance scores. The graph structure is then simplified via the score, updating the adjacency matrix and node features accordingly. A hierarchical pooling strategy is employed to get multi-scale topological information and aggregate it to obtain comprehensive global graph representation. Within the multi-scale masked convolution module, two convolutional kernels of different scales are used to capture relationships between both distant and neighboring nodes. Additionally, a masking mechanism is introduced to handle variable-length graph data, mitigating noise caused by padding nodes. Finally, a gating mechanism adaptively fuses the outputs of the two components to produce the final vulnerability detection result. Extensive experiments on two public datasets show that the proposed method effectively addresses the aforementioned two problems, achieving improvements of 6.69, 4.43, 13.63, and 8.17 percentage points in Accuracy, Precision, Recall and F1-Score, respectively, compared with the baseline model (Devign). In summary, GTMC-VD effectively captures global graph features while mitigating the limitation of GCN-based models in capturing long-range dependencies, providing a more robust and effective solution for vulnerability detection tasks.

Key words: vulnerability detection, graph neural networks, graph topology, multi-scale convolution, mask mechanism

黄安博, 曲海成, 姜庆玲. 融合全局图拓扑与多尺度掩码卷积的漏洞检测方法[J]. 计算机科学与探索, 2025, 19(11): 3072-3082.

HUANG Anbo, QU Haicheng, JIANG Qingling. Vulnerability Detection Method Integrating Global Graph Topology and Multi-scale Masked Convolution[J]. Journal of Frontiers of Computer Science and Technology, 2025, 19(11): 3072-3082.

参考文献

[1] Synopsys. “2025 open source security and risk analysis”report[EB/OL]. [2025-05-09]. https://www.blackduck.com.
[2] LIN G J, WEN S, HAN Q L, et al. Software vulnerability detection using deep neural networks: a survey[J]. Proceedings of the IEEE, 2020, 108(10): 1825-1848.
[3] 苏小红, 郑伟宁, 蒋远, 等. 基于学习的源代码漏洞检测研究与进展[J]. 计算机学报, 2024, 47(2): 337-374.
SU X H, ZHENG W N, JIANG Y, et al. Research and progress on learning-based source code vulnerability detection[J]. Chinese Journal of Computers, 2024, 47(2): 337-374.
[4] ZHOU X, CAO S C, SUN X B, et al. Large language model for vulnerability detection and repair: literature review and the road ahead[J]. ACM Transactions on Software Engineering and Methodology, 2025, 34(5): 1-31.
[5] SHESTOV A, LEVICHEV R, MUSSABAYEV R, et al. Finetuning large language models for vulnerability detection[J]. IEEE Access, 2025, 13: 38889-38900.
[6] CHEN C, SU J Z, CHEN J C, et al. When ChatGPT meets smart contract vulnerability detection: how far are we?[J]. ACM Transactions on Software Engineering and Methodology, 2025, 34(4): 1-30.
[7] PANG Y, LIU X F, HUANG T, et al. Graph-based contract sensing framework for smart contract vulnerability detection[J]. IEEE Transactions on Big Data, 2025. DOI: 10.1109/TBDATA.2025.3594303.
[8] YAMAGUCHI F, GOLDE N, ARP D, et al. Modeling and discovering vulnerabilities with code property graphs[C]//Proceedings of the 2014 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2014: 590-604.
[9] SCARSELLI F, GORI M, TSOI A C, et al. The graph neural network model[J]. IEEE Transactions on Neural Networks, 2009, 20(1): 61-80.
[10] WEN X C, CHEN Y P, GAO C Y, et al. Vulnerability detection with graph simplification and enhanced graph representation learning[C]//Proceedings of the 45th International Conference on Software Engineering. Piscataway: IEEE, 2023: 2275-2286.
[11] MIKOLOV T, CHEN K, CORRADO G S, et al. Efficient estimation of word representations in vector space[C]//Proceedings of the 1st International Conference on Learning Representations, 2013.
[12] RUSSELL R, KIM L, HAMILTON L, et al. Automated vulnerability detection in source code using deep representation learning[C]//Proceedings of the 17th IEEE International Conference on Machine Learning and Applications. Piscataway: IEEE, 2018: 757-762.
[13] YAN H, LUO S L, PAN L M, et al. HAN-BSVD: a hierarchical attention network for binary software vulnerability detection[J]. Computers & Security, 2021, 108: 102286.
[14] HOVSEPYAN A, SCANDARIATO R, JOOSEN W, et al. Software vulnerability prediction using text analysis techniques[C]//Proceedings of the 4th International Workshop on Security Measurements and Metrics. New York: ACM, 2012: 7-10.
[15] BROWN P F, PIETRA V J D, SOUZA P V D, et al. Class-based n-gram models of natural language[J]. Computational Linguistics, 1992, 18(4): 467-479.
[16] KRIZHEVSKY A, SUTSKEVER I, HINTON G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84-90.
[17] MIKOLOV T, ZWEIG G. Context dependent recurrent neural network language model[C]//Proceedings of the 2012 IEEE Spoken Language Technology Workshop. Piscataway: IEEE, 2012: 234-239.
[18] LI Z, ZOU D Q, XU S H, et al. VulDeePecker: a deep learning-based system for vulnerability detection[C]//Proceedings of the 2018 Network and Distributed System Security Symposium, 2018.
[19] LI Z, ZOU D Q, XU S H, et al. SySeVR: a framework for using deep learning to detect software vulnerabilities[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(4): 2244-2258.
[20] CHUNG J, GULCEHRE C, CHO K, et al. Empirical evaluation of gated recurrent neural networks on sequence modeling[EB/OL]. [2025-05-09]. https://arxiv.org/abs/1412.3555.
[21] HOCHREITER S, SCHMIDHUBER J. Long short-term memory[J]. Neural Computation, 1997, 9(8): 1735-1780.
[22] TIAN J F, XING W J, LI Z. BVDetector: a program slice-based binary code vulnerability intelligent detection system[J]. Information and Software Technology, 2020, 123: 106289.
[23] CHO K, VAN MERRIENBOER B, GULCEHRE C, et al. Learning phrase representations using RNN encoder-decoder for statistical machine translation[C]//Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing. Stroudsburg: ACL, 2014: 1724-1734.
[24] VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[C]//Advances in Neural Information Processing Systems 30, 2017: 5998-6008.
[25] TAO W X, SU X H, KE Y K, et al. Transformer-based statement level vulnerability detection by cross-modal fine-grained features capture[J]. Knowledge-Based Systems, 2025, 316: 113341.
[26] HANIF H, MAFFEIS S. VulBERTa: simplified source code pre-training for vulnerability detection[C]//Proceedings of the 2022 International Joint Conference on Neural Networks. Piscataway: IEEE, 2022: 1-8.
[27] RAHMAN M M, CEKA I, MAO C Z, et al. Towards causal deep learning for vulnerability detection[C]//Proceedings of the 46th IEEE/ACM International Conference on Software Engineering. New York: ACM, 2024: 1-11.
[28] 耿辰, 常舒予, 黄海平. 零样本场景下基于提示工程的智能合约漏洞检测研究[J]. 信息对抗技术, 2024(2): 70-81.
GENG C, CHANG S Y, HUANG H P. Prompt engineering for smart contract vulnerability detection in zero-shot scenarios[J]. Information Countermeasure Technology, 2024(2): 70-81.
[29] DU X Y, ZHENG G, WANG K X, et al. Vul-RAG: enhancing LLM-based vulnerability detection via knowledge-level RAG[EB/OL]. [2025-05-09]. https://arxiv.org/abs/2406.11147.
[30] SIOW J K, LIU S Q, XIE X F, et al. Learning program semantics with code representations: an empirical study[C]//Proceedings of the 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering. Piscataway: IEEE, 2022: 554-565.
[31] ZHOU Y Q, LIU S Q, SIOW J, et al. Devign: effective vulnerability identification by learning comprehensive program semantics via graph neural networks[EB/OL]. [2025-05-09]. https://arxiv.org/abs/1909.03496.
[32] LI Y J, TARLOW D, BROCKSCHMIDT M, et al. Gated graph sequence neural networks[EB/OL]. [2025-05-10]. https://arxiv.org/abs/1511.05493.
[33] JIANG B, ZHANG Z Y, LIN D D, et al. Semi-supervised learning with graph learning-convolutional networks[C]//Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2019: 11313-11320.
[34] ZHENG W N, JIANG Y, SU X H. Vu1SPG: vulnerability detection based on slice property graph representation learning[C]//Proceedings of the 32nd IEEE International Symposium on Software Reliability Engineering. Piscataway: IEEE, 2021: 457-467.
[35] SCHLICHTKRULL M, KIPF T N, BLOEM P, et al. Modeling relational data with graph convolutional networks[C]//Proceedings of the 15th International Conference on the Semantic Web. Cham: Springer, 2018: 593-607.
[36] LI M, LI C F, LI S L, et al. ACGVD: vulnerability detection based on comprehensive graph via graph neural network with attention[C]//Proceedings of the 23rd International Conference on the Information and Communications Security. Cham: Springer, 2021: 243-259.
[37] LIU Z Y, ZHOU J. Graph attention networks[M]//Introduction to graph neural networks. Cham: Springer, 2020: 39-41.
[38] GHAFFARIAN S M, SHAHRIARI H R. Neural software vulnerability analysis using rich intermediate graph representations of programs[J]. Information Sciences, 2021, 553: 189-207.
[39] CHAKRABORTY S, KRISHNA R, DING Y, et al. Deep learning based vulnerability detection: are we there yet?[J]. IEEE Transactions on Software Engineering, 2022, 48(9): 3280-3296.
[40] LING M, TANG M, BIAN D, et al. A dual graph neural networks model using sequence embedding as graph nodes for vulnerability detection[J]. Information and Software Technology, 2025, 177: 107581.